jackrabbit-oak-issues mailing list archives

From "Manfred Baedke (Jira)" <j...@apache.org>
Subject [jira] [Comment Edited] (OAK-8763) LoginContextProviderImpl uses any subject found in the AccessControlContext.
Date Wed, 04 Dec 2019 18:13:00 GMT

[ https://issues.apache.org/jira/browse/OAK-8763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988058#comment-16988058 ]

Manfred Baedke edited comment on OAK-8763 at 12/4/19 6:12 PM:
--------------------------------------------------------------

[~angela],

bq. this issue as you reported it is only about the failing logout. so please let me know if that part is fixed in the environment you have been testing

That was another issue, but yes, these tests no longer fail.

This issue is not about logout. 
Let me quote from the description:

bq. because JAAS will then silently fail to add principals and credentials.

That's still my concern.

bq. if an application passes a read-only subject, the session will get the permissions defined for the specified principals.

You mean the principals found in the readonly subject? 


was (Author: baedke):
[~angela],

bq. this issue as you reported it is only about the failing logout. so please let me know if that part is fixed in the environment you have been testing

That was another issue, but yes, these tests no longer fail.

This issue not about logout. 
Let me quote from the description:

bq. because JAAS will then silently fail to add principals and credentials.

That's still my concern.

bq. if an application passes a read-only subject, the session will get the permissions defined for the specified principals.

You mean the principals found in the readonly subject? 

> LoginContextProviderImpl uses any subject found in the AccessControlContext.
> ----------------------------------------------------------------------------
>
>                 Key: OAK-8763
>                 URL: https://issues.apache.org/jira/browse/OAK-8763
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: security-spi
>            Reporter: Manfred Baedke
>            Assignee: Angela Schreiber
>            Priority: Minor
>         Attachments: OAK-8763-tests.patch, OAK-8763.patch
>
>
> LoginContextProviderImpl#getLoginContext(...) extracts the most recent subject from the AccessControlContext and then uses it for either a PreAuthContext or a JaasLoginContext. This is wrong, because there is no reason to assume that such a subject has anything to do with Oak. It particularly hurts when it's readonly, because JAAS will then silently fail to add principals and credentials.
> We would need a way to identify pre-authenticated subjects and subjects that are not pre-authenticated should not be used to create a JaasLoginContext.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
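The failure mode in the issue description above, as an added stand-alone Java example (not Oak code and not the patch attached to OAK-8763): an application freezes an unrelated Subject with setReadOnly() and runs code under it; the lookup then finds that Subject on the AccessControlContext, and any attempt to add a principal to it, which is what a JAAS login module's commit() does, is rejected by the Subject API. The class, the helper names (subjectFromContext, tryAddPrincipal, usableForJaasLogin) and the "CN=app-user"/"CN=oak-user" principals are assumptions made for the demo.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class ReadOnlySubjectDemo {

    // Mirrors the lookup the issue describes: take whatever Subject is attached to
    // the current AccessControlContext. (Subject.getSubject is deprecated on recent
    // JDKs; it is the Java 8 era API this code path relied on.)
    static Subject subjectFromContext() {
        return Subject.getSubject(AccessController.getContext());
    }

    // What a login module's commit() has to do: add the authenticated principal.
    // Returns false when the Subject refuses the write.
    static boolean tryAddPrincipal(Subject subject, Principal p) {
        try {
            return subject.getPrincipals().add(p);
        } catch (IllegalStateException e) {
            // After Subject.setReadOnly() every principal and credential set rejects
            // modification with IllegalStateException; a module that ignores this
            // ends up with a session carrying none of Oak's principals.
            return false;
        }
    }

    // Guard a login provider can apply before wrapping a found Subject in a
    // JaasLoginContext: a read-only Subject can never be populated by JAAS, so it
    // is only usable if the application explicitly marked it as pre-authenticated.
    static boolean usableForJaasLogin(Subject s) {
        return s != null && !s.isReadOnly();
    }

    public static void main(String[] args) {
        // Constructed input: an application-level Subject that has nothing to do
        // with Oak, frozen by the application before it calls into the repository.
        Subject appSubject = new Subject();
        appSubject.getPrincipals().add(new X500Principal("CN=app-user"));
        appSubject.setReadOnly();

        Subject.doAs(appSubject, (PrivilegedAction<Void>) () -> {
            Subject found = subjectFromContext();
            System.out.println("subject found on context is read-only: " + found.isReadOnly());
            System.out.println("usable for a JAAS login: " + usableForJaasLogin(found));
            System.out.println("commit() could add Oak principal: "
                    + tryAddPrincipal(found, new X500Principal("CN=oak-user")));
            return null;
        });
    }
}
```

Run it with a JDK that still ships Subject.getSubject and Subject.doAs; the last two lines report the guard rejecting the Subject and the principal add being refused.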
